On 7 November 2014 the Polish Parliament passed the Act on the Facilitation of Business Activity which substantially amends the existing Act on Personal Data Protection. As we previously reported, this new Act requires an administrator for information security to be given an independent position within the data controller’s organization. Additionally, the new Act introduces provisions facilitating the transfer of personal data to countries outside the European Economic Area (further implementing provisions from Directive 95/46/EC and the proposed draft General Data Protection Regulation). The new law will come into force on 1 January 2015.

Administrator of Information Security (AIS)

According to the amendment, a data controller who appoints an AIS is only required to register personal data filing systems which contain sensitive data with the Polish Data Protection Authority (DPA). Currently, all personal data filing systems are subject to a registration obligation. Data controllers who choose not to appoint an AIS will still be required to register personal data filing systems that are maintained electronically (which, in itself, constitutes an alleviation of the existing registration obligations which concern all data filing systems whether paper or electronic).

The appointment of an AIS by a data controller must be registered with the DPA and the DPA will maintain a publicly available register of each person appointed as an AIS in Poland. These measures will help to ensure the AIS’s independence in the performance of their duties. Apart from existing obligations such as ensuring compliant personal data processing and maintaining appropriate documentation, etc., the AIS will also be required to maintain a publicly available register of data filing systems and to verify compliance of data processing with the applicable rules upon the DPA’s request.

The amendment expressly allows all data controllers to decide whether or not to appoint an AIS (currently a mandatory requirement for legal persons (e.g., companies)).

Standard Contractual Clauses and Binding Corporate Rules (BCR)

The amendments aim to facilitate the transfer of personal data without the need for a separate authorization from the DPA to those countries outside the European Economic Area which do not provide an adequate level of data protection.

According to the new rules, this will be possible in two instances. Firstly, if the data transfer agreement contains unamended standard contractual clauses previously approved by the European Commission (available at the European Commission’s website), and secondly, if the transfer of personal data takes place on the basis of binding corporate rules (e.g., an internal binding data privacy policy framework), also previously approved by the DPA.

According to the Polish Government’s published reasons for the amendment (also confirmed by the DPA), the DPA will also be entitled to approve BCRs used by data processors, for instance, suppliers providing outsourcing or cloud computing services. Data controllers using the services of such data processors will therefore not be required to obtain separate authorization from the DPA for the transfer of personal data outside the EEA (so long as the data transfer is within the scope of the approved BCR for processors).

With respect to the BCR approval procedure, the amendment aims to allow the Polish DPA to participate in the mutual recognition procedure. Under the new law, the DPA will be able to recognize BCRs also solely on the basis of decisions issued by other data protection authorities within the EEA. Time will tell whether the Polish DPA will use this option.

These changes are an expression of the Polish Government’s efforts to make doing business in Poland easier by reducing bureaucracy and recognising the international nature of data transfers.